Joomla has a security problem: The benefits of centralized contrib hosting

01 Jun 2010

I'm helping a client do a security audit of one of their servers. A couple of their sites are running Joomla, which I have very little experience with, so as part of this I set out to compile a list of available exploits to compare against their Joomla versions and installed components. What I discovered was frankly stunning.

Platform     Number of exploits
Drupal       9
Typo3        2
Wordpress    70
Joomla       637

Source: The Exploit Database

It's important to emphasize that just one critical hole in your site is enough, so running Drupal or Typo3 might still get you hacked. However, it's clear that the Joomla community has a very serious security problem. Judging from the number of SQL injection exploits on the list it seems like it might be a question of educating contributors.
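To make the SQL injection class mentioned above concrete, here is an added example (not code from the original post or from any particular Joomla extension) of a Joomla 1.5-style component query written first the unsafe way and then with request input cast, quoted through the database driver and allow-listed; the table and column names are assumptions.

```php
<?php
// Added example, not taken from the original post or from any real extension.
// Assumes a Joomla 1.5-era component; #__example_items and its columns are
// made-up names used only for illustration.
defined('_JEXEC') or die('Restricted access');

// BEFORE: request values are concatenated straight into the SQL string, so
// whatever arrives in "id" or "sort" becomes part of the statement itself.
function getItemsUnsafe()
{
    $db   = JFactory::getDBO();
    $id   = JRequest::getVar('id');            // raw, unfiltered string
    $sort = JRequest::getVar('sort', 'title');  // raw, unfiltered string
    $db->setQuery(
        "SELECT * FROM #__example_items WHERE catid = $id ORDER BY $sort"
    );
    return $db->loadObjectList();
}

// AFTER: numbers are forced to integers, string literals go through the
// driver's Quote(), and anything used as an identifier (ORDER BY column) is
// checked against a fixed allow-list before it is quoted as a name.
function getItemsSafe()
{
    $db   = JFactory::getDBO();
    $id   = JRequest::getInt('id', 0);          // integer or 0, never a string
    $sort = JRequest::getWord('sort', 'title'); // letters/underscore only

    $allowedSort = array('title', 'created', 'hits');
    if (!in_array($sort, $allowedSort, true)) {
        $sort = 'title';                        // fall back, do not trust input
    }

    $db->setQuery(
        'SELECT * FROM #__example_items'
        . ' WHERE catid = ' . (int) $id
        . ' AND state = ' . $db->Quote('published')
        . ' ORDER BY ' . $db->nameQuote($sort)
    );
    return $db->loadObjectList();
}
```

The key habit for contributors is that every value from the request is either cast to the expected type, passed through the driver's quoting, or matched against an allow-list before it reaches the query; string concatenation on its own is never enough.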

I believe that Drupal's low number is a strong testament to the benefits of hosting contributed code on drupal.org. This approach means that:

A low bar of entry for new contributors is great, but can be dangerous without a strong security support structure.

Note: A Swedish version of this entry is available over at the Searchfactory blog.